Remote code execution vulnerabilities in the Laravel Voyager admin package pose a significant risk to users, as multiple flaws allow attackers to upload malicious files undetected. Despite being reported, the maintainers have failed to respond or implement patches. Affected: Laravel Voyager users, web application administration.
Key points:
- Three critical security flaws were discovered in the Laravel Voyager admin package.
- These vulnerabilities can be exploited by attackers to gain remote code execution (RCE) access.
- SonarSource reported the issues, but maintainers of Voyager have not responded to the findings.
- The vulnerabilities include File Upload Faker, XSS Express, and File System Freestyle.
- As of 2025, the issues remain unpatched, potentially affecting millions of users.
- Security researchers attempted to notify the maintainers multiple times without a response.
- Users are advised to take preventive measures or consider migrating to a different admin panel.
MITRE Techniques:
- TA0001 – Initial Access: CVE-2024-55417 (File Upload Faker) allows attackers to upload malicious PHP files disguised as images.
- TA0002 – Execution: CVE-2024-55416 (XSS Express) lets an admin’s browser execute attackers’ JavaScript via crafted links.
- TA0003 – Persistence: CVE-2024-55415 (File System Freestyle) enables attackers to read and delete files on the server without authorization.
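The two file-handling weaknesses in the list above (a PHP file accepted because it looks like an image, and file reads or deletes that escape the intended directory) share the same defensive pattern: validate what the server actually received, not what the client claimed. The following Python is an added illustration of that pattern, not Voyager's code nor a description of its actual patch; the upload root, the sample bytes and the function names are constructed for this example. A real Laravel deployment would pair these checks with storing uploads outside the web root and a web-server rule that never executes files from the upload directory.

```python
"""Added example: server-side checks against disguised-PHP uploads and
path escapes. Hypothetical helper code, not part of Voyager or Laravel."""
import os
import re
from pathlib import Path
from typing import Optional, Tuple

# Allowed image extensions and the magic bytes each must start with.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Server-side code markers that have no business inside an image body.
CODE_MARKERS = re.compile(rb"<\?(php|=)|<script\b|<%", re.IGNORECASE)

# PHP-style extensions anywhere in the name (shell.php.png, x.phtml, ...):
# some server configurations still hand such names to the PHP interpreter.
PHP_LIKE = re.compile(r"\.ph(p\d?|tml|ar)(\.|$)")


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); stops at the first failed check."""
    name = os.path.basename(filename).lower()
    if PHP_LIKE.search(name):
        return False, "php-like extension in filename"
    ext = Path(name).suffix
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"
    # Trust the bytes, not the client-supplied extension or Content-Type.
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match declared image type"
    # Valid image header but code markers inside: a polyglot, reject it.
    if CODE_MARKERS.search(data):
        return False, "embedded server-side code marker"
    return True, "ok"


def resolve_within_root(root: str, user_path: str) -> Optional[str]:
    """Resolve a user-supplied relative path and return the absolute path
    only if it stays inside root; None otherwise (covers ../ and absolute
    paths, and symlinks are followed before the containment check)."""
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, user_path))
    if os.path.commonpath([root_abs, target]) != root_abs:
        return None
    return target


# Constructed samples: a minimal PNG header, and the same header with a
# harmless PHP open tag appended to stand in for a polyglot upload.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT_PNG = GOOD_PNG + b"<?php /* constructed marker */ ?>"

if __name__ == "__main__":
    for fname, blob in [("avatar.png", GOOD_PNG),
                        ("avatar.png", POLYGLOT_PNG),
                        ("shell.php.png", GOOD_PNG),
                        ("avatar.gif", GOOD_PNG)]:
        print(fname, validate_image_upload(fname, blob))
    for rel in ["img/a.png", "../.env", "/etc/hostname"]:
        print(rel, resolve_within_root("/var/www/storage", rel))
```

The order of checks matters: the filename test runs first because it is cheap and catches double extensions, the magic-byte test then catches plain PHP files renamed to `.png`, and the marker scan catches files that are genuinely images with code appended. The containment check uses `realpath` on both sides so that a symlink inside the upload directory cannot be used to point outside it.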